From here you get that in step 2 of ECDSA sign process, you use
z, the Ln leftmost bits of e = HASH(message/transaction) in both the process of generating and verifing the signature.

I understand that in bitcoin transactions signature and verification you do almost the same algorithm.

So...

You know that adress A has a transaction x to it that values in 1 BTC not spent.

You know also a transaction y1 from A with a certain signature and a certain value z1, as the algorithm in the link says.

Could you create a transaction y2 so that it sends the 1 BTC from A to adress B by creating it in a way that it had the same z1 (mentioned above) and consequently the same signature of y1? (since signature depends only on message (z), private key and the random value k)

1 Answer
1

Yes, but that is hard. This is known as a collision, and you would be finding a collision in SHA256. Because you would be reusing a known hash, what you would be doing is performing a preimage attack. Since SHA256 has no known preimage attack for all 64 rounds done in a normal SHA256 hash, you would need to do 2^256 hashes in order to be guaranteed to have found a colliding preimage for that hash.

This is why a cryptographically secure hash is used for signing operations.